Many companies use contract manufacturers (CMs) to produce products. A CM uses a company's design information to make products that the company may sell under its name. For electronic systems, the design information may include the company's proprietary information, such as configuration data. For example, the configuration data may be either a configuration bitstream for field programmable gate array (FPGA) logic that is embedded in the product, or program code to be executed by a processor that is embedded in the product.
In order to protect against unauthorized use of the configuration data, encryption techniques have been used to hide the design information embodied in the configuration data. The company providing the configuration data may encrypt the configuration data, and the encrypted configuration data is downloaded to a target device. The target device then decrypts the configuration data for configuring the programmable logic or executing program code. In order to protect the design information in the encrypted configuration data, the key used by the device to decrypt the configuration data may also be encrypted. That is, a “black key,” which is an encrypted key, is downloaded to the device. When the device needs to decrypt the configuration data, it first decrypts the black key, and uses the decrypted key to decrypt the configuration data.
Use of a black key may still leave the company vulnerable to unauthorized use of the design information in the encrypted configuration data. For example, a dishonest contract manufacturer might obtain the key used to encrypt the black key, decrypt the black key, and then decrypt the encrypted configuration data.
To protect against a dishonest CM obtaining the key for decrypting the black key, a Diffie-Hellman key exchange (DHKE) function may be used. The DHKE function is downloaded to the target device, and the target device and a configuration controller use the DHKE function to securely provide a key from the configuration controller to the target device. However, the DHKE approach may allow an adversary to reverse engineer the DHKE function on the target device, modify the key exchange function to emit the key, and then load the modified key exchange function on the target device. The modified key exchange function on the target device may then reveal the key to the adversary.
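The key hierarchy described above (configuration data encrypted under a data key, the data key delivered as a black key, and a Diffie-Hellman exchange between the configuration controller and the target device supplying the key that decrypts the black key) is traced end to end in the following added example, which is not part of the original text. It assumes a demonstration group (2**521 - 1, generator 3), an HMAC-SHA256 counter-mode stand-in for a real cipher, hypothetical function names, and that the exchanged key is used directly to encrypt the black key.

```python
import hashlib, hmac, secrets

# Assumption: demonstration group only (Mersenne prime 2**521 - 1, generator 3).
# A real design would use a standardized DH or ECDH group.
P, G = 2**521 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    if not 1 < peer_pub < P - 1:                 # reject degenerate public values
        raise ValueError("invalid peer public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(66, "big")).digest()

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib only).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys derived from the supplied key.
    enc_k = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_k = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_k, nonce, plaintext)
    return nonce + ct + hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_k = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_k = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified blob")
    return _xor_stream(enc_k, nonce, ct)

def provision_and_boot(config_data):
    # Company: encrypt the configuration data under a fresh data key.
    data_key = secrets.token_bytes(32)
    enc_config = seal(data_key, config_data)
    # Configuration controller and target device run the key exchange.
    ctrl_priv, ctrl_pub = dh_keypair()
    dev_priv, dev_pub = dh_keypair()
    # Controller: encrypt the data key under the exchanged key -> black key.
    black_key = seal(dh_shared_key(ctrl_priv, dev_pub), data_key)
    # Device: decrypt the black key, then decrypt the configuration data.
    recovered = unseal(dh_shared_key(dev_priv, ctrl_pub), black_key)
    return unseal(recovered, enc_config), black_key, enc_config
```

Only the two public values, the black key and the encrypted configuration data cross the link to the device; the data key itself appears in the clear only inside `provision_and_boot`'s company and device steps.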